arXiv: 1504.06313v2 [quant-ph] 1 Dec 2016 


Randomness amplification under minimal fundamental assumptions on the devices 


Ravishankar Ramanathan, Fernando G.S.L. Brandao, Karol Horodecki, Michal Horodecki, Pawel Horodecki, and Hanna Wojewodka

Institute of Theoretical Physics and Astrophysics, National Quantum Information Centre, Faculty of Mathematics, Physics and Informatics, University of Gdansk, 80-308 Gdansk, Poland
Quantum Architectures and Computation Group, Microsoft Research, Redmond, Washington 98052, USA
Department of Computer Science, University College London, WC1E 6BT London, UK
Institute of Informatics, National Quantum Information Centre, Faculty of Mathematics, Physics and Informatics, University of Gdansk, 80-308 Gdansk, Poland
Faculty of Applied Physics and Mathematics, National Quantum Information Center, Gdansk University of Technology, 80-233 Gdansk, Poland
Institute of Mathematics, Faculty of Mathematics, Physics and Chemistry, University of Silesia, Bankowa 14, 40-007 Katowice, Poland
(Dated: December 2, 2016) 

Recently, the physically realistic protocol amplifying the randomness of Santha-Vazirani sources producing cryptographically secure random bits was proposed; however for reasons of practical relevance, the crucial question remained open whether this can be accomplished under the minimal conditions necessary for the task. Namely, is it possible to achieve randomness amplification using only two no-signaling components and in a situation where the violation of a Bell inequality only guarantees that some outcomes of the device for specific inputs exhibit randomness? Here, we solve this question and present a device-independent protocol for randomness amplification of Santha-Vazirani sources using a device consisting of two non-signaling components. We show that the protocol can amplify any such source that is not fully deterministic into a fully random source while tolerating a constant noise rate and prove the composable security of the protocol against general no-signaling adversaries. Our main innovation is the proof that even the partial randomness certified by the two-party Bell test (a single input-output pair (u*,x*) for which the conditional probability P(x*|u*) is bounded away from 1 for all no-signaling strategies that optimally violate the Bell inequality) can be used for amplification. We introduce the methodology of a partial tomographic procedure on the empirical statistics obtained in the Bell test that ensures that the outputs constitute a linear min-entropy source of randomness. As a technical novelty that may be of independent interest, we prove that the Santha-Vazirani source satisfies an exponential concentration property given by a recently discovered generalized Chernoff bound.


Introduction.- Random number generators are ubiquitous, finding applications in varied domains such as statistical sampling, computer simulations and gambling scenarios. Certain physical phenomena such as radioactive decay or thermal radiation have high natural entropy; there are also computational algorithms that produce sequences of apparently random bits. In many cryptographic tasks, however, it is necessary to have trustworthy sources of randomness. As such, developing device-independent protocols for generating random bits is of paramount importance.

We consider the task of randomness amplification, to convert a source of partially random bits to one of fully random bits. The paradigmatic model of a source of randomness is the Santha-Vazirani (SV) source HI, a model of a biased coin where the individual coin tosses are not independent but rather the bits $Y_i$ produced by the source obey

$$\frac{1}{2} - \varepsilon < P(Y_i = 0 \mid Y_{i-1}, \dots, Y_1) < \frac{1}{2} + \varepsilon. \qquad (1)$$

Here $0 < \varepsilon < \frac{1}{2}$ is a parameter describing the reliability of the source, the task being to convert a source with $\varepsilon < \frac{1}{2}$ into one with $\varepsilon \to 0$. Interestingly, this task is known to be impossible with classical resources, a single SV source cannot be amplified [Ij.

In [2], the non-local correlations of quantum mechanics were shown to provide an advantage in the task of amplifying an SV source. A device-independent protocol for generating truly random bits was demonstrated starting from a critical value of $\varepsilon$ ($\approx 0.06$) ||2l|3, where device-independence refers to the fact that one need not trust the internal workings of the device. An improvement was made in where using an arbitrarily large number of spatially separated devices, it was shown that one could amplify randomness starting from any initial $\varepsilon < \frac{1}{2}$. In (2, we demonstrated a device-independent protocol which uses a constant number of spatially separated components and amplifies sources of arbitrary initial $\varepsilon < \frac{1}{2}$ while simultaneously tolerating a constant amount of noise in its implementation. All of these protocols were shown to be secure against general adversaries restricted only by the no-signaling principle of relativity under a technical assumption of independence between the source and the device. In O, a randomness amplification protocol was formulated for general min-entropy sources and shown to be secure against quantum adversaries without the independence assumption, the drawback of this protocol being that it requires a device with a large number of spatially separated components for its implementation. Other protocols have also been proposed (ZlEl, for which full security proofs are missing. For fundamental as well as practical reasons, it is vitally important to minimize the number of spatially separated components in the protocol. As such, devising a protocol with the minimum possible number of components (two space-like separated ones for a protocol based on a Bell test) while at the same time allowing for robustness to errors in its implementation is crucial.

Let $U$, $X$ denote the input and output sets respectively, of honest parties in a device-independent Bell-based protocol for randomness amplification. A necessary condition for obtaining randomness against general no-signaling (NS) attacks is that for some input $u^* \in U$, output $x^* \in X$ and a constant $c < 1$, every no-signaling box $\{P(x|u)\}$ that obtains the observed Bell violation has $P(x = x^*|u = u^*) < c$, i.e.,

$$\exists (x^*, u^*) \ \text{s.t.} \ \forall \{P(x|u)\} \ \text{with} \ B \cdot \{P(x|u)\} = 0: \quad P(x = x^*|u = u^*) < c < 1, \qquad (2)$$

where $B$ is an indicator vector (with entries $B(x, u)$) encoding the Bell expression and $B \cdot \{P(x|u)\} = \sum_{x,u} B(x,u) P(x|u) = 0$ denotes that the box $\{P(x|u)\}$ algebraically violates the inequality. Note that while the Bell inequality violation guarantees Eq. (2) for some $x^*, u^*$ for each NS box, here the requirement is for a strictly bounded common entry $P(x = x^*|u = u^*)$ for all boxes leading to the observed Bell violation. It is straightforward to see that if Eq. (2) is not met, then the observed Bell violation does not guarantee any randomness and a device-independent protocol to obtain randomness cannot be built on the basis of this violation. If in addition to the necessary condition in Eq. (2), we also had for the same input-output pair $(u^*, x^*)$ that

$$c < P(x = x^*|u = u^*) \qquad (3)$$

for some constant $c > 0$, then clearly all the outputs for input $u^*$ possess randomness and extraction of this randomness may be feasible.

Here, we present a fully device-independent protocol that allows one to amplify the randomness of any $\varepsilon$-SV source under the minimal necessary condition in Eq. (2). A novel element of the protocol is an additional test (to the usual Bell test) akin to partial tomography of the boxes that the honest parties perform, to lower bound (in a linear number of runs) $P(x = x^*|u = u^*) =: D \cdot \{P(x|u)\}$. Here $D$ is an indicator vector with entries $D(x, u)$ such that $D(x, u) = 1$ iff $(x, u) = (x^*, u^*)$. This test ensures that additionally Eq. (3) is also met for a sufficient number of runs; a detailed description is provided in the Supplemental Material. The protocol uses a device consisting of only two no-signaling components and tolerates a constant error rate. We show that the output bits from the protocol satisfy universally-composable security, the strongest form of cryptographic security, for any adversary limited only by the no-signaling principle.

Protocol I

1. The $\varepsilon$-SV source is used to choose the measurement settings $u = (u^1_{\le n}, u^2_{\le n})$ for $n$ runs on the single device consisting of two components. The device produces output bits $x = (x^1_{\le n}, x^2_{\le n})$.

2. The parties perform an estimation of the violation of the Bell inequality in the device by computing the empirical average $L_n(x, u) := \frac{1}{n} \sum_{i=1}^{n} B(x_i, u_i)$. The protocol is aborted unless $L_n(x, u) < \delta$ for fixed constant $\delta > 0$.

3. Conditioned on not aborting in the previous step, the parties subsequently check if $S_n(x, u) :=$ $> \mu_1$. The protocol is aborted if this condition is not met for fixed $\mu_1 > 0$.

4. Conditioned on not aborting in the previous steps, the parties apply an independent source extractor U 0 to the sequence of outputs from the device and further $n$ bits from the SV source.

FIG. 1: Protocol for device-independent randomness amplification from a single device with two no-signaling components.

Main Result.- We present a two-party protocol to amplify the randomness of SV sources against no-signaling adversaries; formally, we show the following (the detailed security proof is presented in the Supplemental Material):

Theorem 1 (informal). For every $\varepsilon < \frac{1}{2}$, there is a protocol using an $\varepsilon$-SV source and a device consisting of two no-signaling components with the following properties:

• Using the device poly($n$, $\log(1/\gamma)$) times, the protocol either aborts or produces $n$ bits which are $\gamma$-close to uniform and independent of any no-signaling side information about the device and classical side information about the source (e.g. held by an adversary).

• Local measurements on many copies of a two-party entangled state, with poly($1 - 2\varepsilon$) error rate, give rise to a device that does not abort the protocol with probability larger than 1 —

The protocol is non-explicit and runs in poly($n$, $\log(1/\gamma)$) time. Alternatively it can use an explicit extractor to produce a single bit of randomness that is $\gamma$-close to uniform in poly($\log(1/\gamma)$) time.

Protocol.- The protocol for the task of randomness amplification from $\varepsilon$-SV sources is given explicitly in Fig. 1 and illustrated in Fig. 2; its structure is as follows. The two honest parties Alice and Bob use bits from the $\varepsilon$-SV source to choose the inputs to their no-signaling boxes in multiple runs of a Bell test and obtain their respective outputs. They check for the violation of a Bell inequality and abort the protocol if the test condition is not met. The novel part of the protocol is a subsequent test that the honest parties perform which ensures, when passed, that a sufficient number of runs were performed with boxes that have randomness in their outputs. If both tests are passed, the parties apply a randomness extractor to the output bits and some further bits taken from the SV source. The output bits of the extractor constitute the output of the protocol, which we show to be close to being fully random and uncorrelated from any no-signaling adversary.

FIG. 2: An illustration of the protocol for randomness amplification using two no-signaling components. The bits from the SV source (black arrows) are used as inputs $(u^1_j, u^2_j)$ for the $j$-th run of the two spatially separated devices, with $1 \le j \le n$, and the corresponding outputs $(x^1_j, x^2_j)$ are obtained. The inputs and outputs of all the $n$ runs $(u, x)$ are subjected to two tests: a Bell test for the violation of a specific Bell inequality and a (partial) tomographic test counting a specific number of input-output pairs $(u^*, x^*)$. If both tests are passed (denoted by ACC), the outputs $x$ (orange arrows) are hashed together with further $n$ bits $t$ from the SV source using an extractor.

Description of the setup.- The setup of the protocol is as follows. The honest parties and Eve share a no-signaling box $\{p(x, z|u', w)\}$ where $u' = u'_{\le n} := (u'_1, \dots, u'_n)$ and $x = x_{\le n} := (x_1, \dots, x_n)$ denote the input and output, respectively, of the honest parties for the $n$ runs of the protocol, with $w$ and $z$ being the inputs and outputs of the adversary Eve. The devices held by the honest parties are separated into 2 components with corresponding inputs and outputs $u'^i$ and $x^i$ respectively, for $i = 1, 2$, i.e., $u' = (u'^1, u'^2)$ and $x = (x^1, x^2)$. Note that $u'^i$, $x^i$ themselves denote the inputs and outputs of the $n$ runs of the protocol for party $i$, i.e., $u'^i = u'^i_{\le n} := (u'^i_1, \dots, u'^i_n)$ and $x^i = x^i_{\le n} := (x^i_1, \dots, x^i_n)$. Here, for the $j$-th run of the Bell test, we have labeled the measurement settings of Alice $u'^1_j$ and those of Bob $u'^2_j$ with the corresponding outcomes $x^1_j$ and $x^2_j$, and denoted the joint inputs of Alice and Bob in this run as $u'_j = (u'^1_j, u'^2_j)$ with corresponding joint output $x_j = (x^1_j, x^2_j)$. The honest parties draw bits $u$ from the SV source to input into the box, i.e., they set $u' = u$. They also draw further $n$ bits $t$, which will be fed along with the outputs $x$ into the randomness extractor to obtain the output of the protocol $s := \mathrm{Ext}(x, t)$. The adversary has classical information $e$ correlated to $u, t$. The box we consider for the protocol is therefore given by the family of probability distributions $\{p(x, z, u, t, e|u', w)\}$.

Assumptions.- Let us first state formally the assumptions on $\{p(x, z, u, t, e|u', w)\}$, see also [11.

• No-signaling (shielding) assumption: The box satisfies the constraint of no-signaling between the honest parties and Eve as well as between the different components of the device

$$p(x|u', w) = p(x|u'), \qquad p(z|u', w) = p(z|w), \qquad p(x^i|u') = p(x^i|u'^i), \quad i = 1, 2. \qquad (4)$$

Each device component also obeys a time-ordered no-signaling (tons) condition for the $k \in [n]$ runs performed on it:

$$p(x^i_k|z, u'^i, w, u, t, e) = p(x^i_k|z, u'^i_{\le k}, w, u, t, e) \quad \forall k \in [n], \qquad (5)$$

where $u'^i_{\le k} := u'^i_1, \dots, u'^i_k$.

• SV conditions: The variables $(u, t, e)$ form an SV source, that is, satisfy Eq. (1). In particular, $p(t|u, e)$ and $p(u|e)$ also obey the SV source conditions. The fact that $e$ cannot be perfectly correlated to $u, t$ is called the private SV source assumption m.

• Assumption A1: The devices do not signal to the SV source, i.e., the distribution of $(u, t, e)$ is independent of the inputs $(u', w)$:

$$\sum_{x,z} p(x, z, u, t, e|u', w) = p(u, t, e) \quad \forall (u, t, e, u', w). \qquad (6)$$

• Assumption A2: The box is fixed independently of the SV source:

$$p(x, z|u', w, u, t, e) = p(x, z|u', w) \quad \forall (x, z, u', w, u, t, e). \qquad (7)$$

In words, the main assumptions are that the different components of the device do not signal to each other and to the adversary Eve. Additionally, there is also a time-ordered no-signaling (tons) structure assumed on different runs of a single component: the outputs in any run may depend on the previous inputs within the component but not on future inputs. Moreover, we also assume that the structure of the box $p(x, z|u', w)$ is fixed independently of the SV source $p(u, t, e)$, i.e., the box is an unknown and arbitrary input-output channel independent of the SV source. This precludes malicious correlations such as in the scenario where for each bit string $u$ taken from the source, a different (possibly local) box tuned to $u$ is supplied, in which case the Bell test may be faked by local boxes 113. Finally, it is worth noting that no randomness may be extracted under the assumptions stated above in a classical setting, whereas the Bell violation by quantum boxes allows one to amplify randomness in a device-independent setting.

Security definition.- For $L_n(x, u) = \frac{1}{n} \sum_{i=1}^{n} B(x_i, u_i)$, the first (Bell) test in the protocol is passed when $L_n(x, u) < \delta$. We define the set $\mathrm{ACC}_1$ as the set of $(x, u)$ such that this test is passed:

$$\mathrm{ACC}_1 := \{(x, u) : L_n(x, u) < \delta\}. \qquad (8)$$

Here $\delta$ is the noise parameter in the Bell test, which is chosen to be a positive constant depending on the initial $\varepsilon$ of the SV source, going to zero in the limit of $\varepsilon \to \frac{1}{2}$ (see Theorem 8 in the Supplemental Material). Similarly, we define $\mathrm{ACC}_2$ as the set of $(x, u)$ for which the second test is passed, i.e.,

$$\mathrm{ACC}_2 := \{(x, u) : S_n(x, u) > \mu_1\}. \qquad (9)$$

We also define the set $\mathrm{ACC} = \mathrm{ACC}_1 \cap \mathrm{ACC}_2$ of $(x, u)$ for which both tests in the protocol are passed and $\mathrm{ACC}_u$ as the cut

$$\mathrm{ACC}_u := \{x : (x, u) \in \mathrm{ACC}\}. \qquad (10)$$

After $u$ is input as $u'$ and conditioned on the acceptance of the tests ACC, applying the independent source extractor HHS) $s = \mathrm{Ext}(x, t)$, one gets the box

$$p(s, z, e|w, \mathrm{ACC}) = \sum_{u} \sum_{\mathrm{Ext}(x,t) = s} p(x, z, u, t, e|w, \mathrm{ACC}). \qquad (11)$$

The composable security criterion is now defined in 
terms of the distance of p(s, z, ejic, ACC) to an ideal 
box p'^^ = j^^p{z,e\w,ACC) with p{z,e\w, ACC) = 
p{s, z, e\w, ACC). Formally, the security is given by 
the distance dc defined as 




p(s, z, ejic, ACC) — -—p{z^e\w, ACC) 

\b\ 


( 12 ) 

Outline of the proof.- The proof of security of the protocol is a modification of the proof we presented in (Tl with the crucial differences being due to the weak randomness that the two-party Bell inequality violation gives and an additional partial tomographic test imposed on the device.

To amplify SV sources, one needs Bell inequalities where quantum theory can achieve the maximal no-signaling value of the inequality [21/ failing which, for sufficiently small 5, the observed correlations may be faked with classical deterministic boxes. However, Bell inequalities with this property are not sufficient; this is exemplified by the tripartite Mermin inequality 121IT^. This inequality is algebraically violated in quantum theory using a GHZ state, however for any function of the measurement outcomes one can find no-signaling boxes which achieve its maximum violation and for which this particular function is deterministic, thereby providing an attack for Eve to predict with certainty the final output bit. While El and El considered Bell inequalities with more parties, the problem of finding two-party algebraically violated Bell inequalities (known as pseudo-telepathy games) E3l with the property of randomness for some function of the measurement outcomes was open. Unfortunately, none of the bipartite Bell inequalities tested so far have the property that all no-signaling boxes which maximally violate the inequality have randomness in any function of the measurement outcomes $f(x)$ for some input $u$ in the sense that for all such boxes

$$\frac{1}{2} - \kappa < p(f(x)|u) < \frac{1}{2} + \kappa \qquad (13)$$

for some $0 < \kappa <$ We say that Bell inequalities with property (13) guarantee strong randomness.

The Bell inequality we consider for the task of randomness amplification is a modified version of a Kochen-Specker game from 13 • The inequality involves two parties Alice and Bob, each making one of nine possible measurements and obtaining one of four possible outcomes, which is explained further in the Supplemental Material. Even though it does not guarantee the strong randomness in Eq. (13) for any function of the measurement outcomes $f(x)$ for any input $u$, it has the redeeming feature of guaranteeing weak randomness in the following sense. For all no-signaling boxes which algebraically violate the inequality, there exists one measurement setting $u^*$ and one outcome $x^*$ for this setting such that

$$0 < p(x = x^*|u = u^*) < \gamma \quad \forall \{p(x|u)\} \ \text{s.t.} \ B \cdot \{p(x|u)\} = 0 \qquad (14)$$

for some $0 < \gamma < 1$. The above fact is checked by linear programming and is shown in Lemma 1 in the Supplemental Material.

The novel technique in the form of a partial tomographic test, subsequent to the Bell test, allows us to extract randomness in this minimal scenario of weak randomness. This simply checks for the number of times a particular input-output pair $(u^*, x^*)$ appears; the analysis of this test is done by an application of the Azuma-Hoeffding inequality. We show that the SV source obeys a generalized Chernoff bound that ensures that with high probability, when the inputs are chosen with such a source, the measurement setting $u^*$ appears in a linear fraction of the runs. Thus, conditioned on both tests in the protocol being passed (which happens with large probability with the use of the SV source and good quantum boxes by the honest parties), we obtain that with high probability over the input, the output is a source of linear min-entropy.

This allows us to use known results on randomness extractors for two independent sources of linear min-entropy II0, namely one given by the outputs of the measurement and the other given by the SV source. As shown in Proposition 16 of (ll, one can use extractors secure against classical side information even in the scenario of general no-signaling adversaries by accepting a loss in the rate of the protocol, i.e., increasing the output error. The randomness extractor used in the protocol is a non-explicit extractor from |4|. Alternatively, there is an explicit extractor that can be employed in the protocol that has been found recently [6i|, but then it can produce just one bit of randomness. It also follows from m that there exists a protocol to obtain more bits with an explicit extractor using a device with three no-signaling components by employing additionally a de-Finetti theorem for no-signaling devices fWl (see Protocol 11 in fTt).

Conclusion and Open Questions.- We presented a device-independent protocol to amplify randomness in the minimal conditions under which such a task is possible, and used it to obtain secure random bits from an arbitrarily (but not fully) deterministic Santha-Vazirani source. The protocol uses a device consisting of only two non-signaling components, and works with correlations attainable by noisy quantum mechanical resources. Moreover, its correctness is not based on quantum mechanics and only requires the no-signaling principle.

Important open questions still remain. One interesting question is whether the requirement of strict independence between the SV source and the devices can be relaxed to only require limited independence IITtI . Another is to amplify the randomness of more general min-entropy sources that do not possess the structure of the Santha-Vazirani source. Finally, a significant open problem is to realize device-independent quantum key distribution with an imperfect source of randomness, tolerating a constant error rate and achieving a constant key rate.
Supplemental Material. Here, we give the formal proof of composable security for the device-independent protocol for randomness amplification using a device consisting of only two no-signaling components presented in the main text.

Let us recall that the SV source is defined by the condition that bits $Y_i$ produced by the source obey

$$\frac{1}{2} - \varepsilon < P(Y_i = 0 \mid Y_{i-1}, \dots, Y_1) < \frac{1}{2} + \varepsilon \qquad (15)$$

for some $0 < \varepsilon < \frac{1}{2}$. Let us also recall the notation from the main text. The honest parties and Eve share a no-signaling box $\{p(x, z|u', w)\}$ where $u' = u'_{\le n} := (u'_1, \dots, u'_n)$ and $x = x_{\le n} = (x_1, \dots, x_n)$ denote the input and output respectively of the honest parties for the $n$ runs of the protocol, with $w$ and $z$ the respective inputs and outputs of the adversary Eve. The devices held by the honest parties are separated into $m = 2$ components with corresponding inputs and outputs $u'^i$ and $x^i$ respectively, for $i = 1, 2$, i.e., $u' = (u'^1, u'^2)$ and $x = (x^1, x^2)$. Here, $u'^i$, $x^i$ themselves denote the inputs and outputs of the $n$ runs of the protocol for party $i$, i.e., $u'^i = u'^i_{\le n}$ and $x^i = x^i_{\le n}$. Here, for the $j$-th run of the Bell test, the inputs of Alice are $u'^1_j$ and those of Bob are $u'^2_j$ with the corresponding outcomes $x^1_j$ and $x^2_j$ respectively, and the joint inputs of Alice and Bob in this run are $u'_j = (u'^1_j, u'^2_j)$ with corresponding joint outputs $x_j = (x^1_j, x^2_j)$. The honest parties draw bits $u$ from the SV source to input into the box, i.e., they set $u' = u$; they also draw a further $n$ bits $t$ which will be fed along with the outputs $x$ into the randomness extractor to obtain the output of the protocol $s := \mathrm{Ext}(x, t)$. The adversary has classical information $e$ correlated to $u, t$. The box we consider for the protocol is given by the family of probability distributions $\{p(x, z, u, t, e|u', w)\}$.


ASSUMPTIONS 


The Assumptions under which the Protocol is proven secure are formally stated in the main text. From Assumptions A1 and A2, as well as no-signaling

$$p(x|u', w) = p(x|u'), \qquad p(z|u', w) = p(z|w), \qquad p(x^i|u') = p(x^i|u'^i), \quad i = 1, 2, \qquad (16)$$

and time-ordered-no-signaling assumptions,

$$p(x^i_k|z, u'^i, w, u, t, e) = p(x^i_k|z, u'^i_{\le k}, w, u, t, e) \quad \forall k \in [n], \qquad (17)$$

we find that the distributions $\{p_w(x, z, u, t, e)\}$ satisfy (see lHI):

$$p_w(x, u) = p(x, u) \qquad (18)$$

$$p_w(u, t, e) = p(u, t, e) \qquad (19)$$

$$\forall w \quad p_w(x, z|u, t, e) = p_w(x, z|u) \qquad (20)$$

$$\forall w \quad p_w(x, z|u, t, e) = p_w(x, z|u, e) \qquad (21)$$

$$p_w(x|z, u, t, e) = p_{z,t,e,w}(x|u) \ \text{is time-ordered no-signaling} \qquad (22)$$

$$p_w(u|z, e), \ p_w(t|z, u, e) \ \text{are SV sources} \qquad (23)$$

The composable security criterion is given in terms of 
the distance dc defined as 


s,e z 

Let us define the quantity d' as 


p{s, z, e\w, ACC) - J^^p{z, eh, ACC) 

(24) 


d' 


E p(e|ACC)max> p(z, u\e,w, ACC) x 

w X. —rf' 

e 2;,w 


E 


p{s\z, 14, e, ACC) 


1 


(25) 


for any family of probability distributions $\{p(x, z, u, t, e|w)\}$. Now, for each $e$, let $w_e$ and $p_{w_e}(x, z, u, t, e)$ denote the input of Eve and the corresponding probability distribution respectively that achieve the maximum $d'$ in Eq. (25). By Assumption A1 and the no-signaling conditions, $p(e|w) = p(e)$ and $p(x, u|w) = p(x, u)$ so that the maximum is achieved by a distribution $q(x, z, u, t, e) = p(e) p_{w_e}(x, z, u, t|e)$. We can thus consider the quantity $d = d'$ given as


d= Yi, ■“> e| ACC) Y 


q{s\z^ 14, e, ACC) 


As shown in m, we have 


hi ■ 

(26) 


dc < h|d. 


(27) 
From the assumptions stated, it is seen that $q(x, u, z, t, e)$ obeys

$$q(x, z|u, t, e) = q(x, z|u),$$
$$q(x|z, u, t, e) = q_{t,e,z}(x|u) \ \text{is time-ordered no-signaling},$$
$$q(u|z, e), \ q(t|z, u, e) \ \text{obey the SV source conditions}. \qquad (28)$$


THE BELL INEQUALITY 


The Bell inequality we consider for the task of randomness amplification is a modified version of the bipartite inequality in [2|. The inequality belongs to the class (2,9,4), signifying that it involves two parties Alice and Bob, each making one of nine possible measurements and obtaining one of four possible outcomes. We label the measurement settings of Alice $u^1$ and those of Bob $u^2$, with $u^1, u^2 \in \{1, \dots, 9\}$. The corresponding outcomes of Alice are labeled $x^1$ and those of Bob $x^2$, with $x^1, x^2 \in \{1, \dots, 4\}$. Note that from the notation in the main text these inputs and outputs would correspond to a particular run of the protocol $u_j, x_j$. Acting on a box $\{P(x|u)\}$ with $x = (x^1, x^2)$ and $u = (u^1, u^2)$, the Bell expression may be written as

$$B \cdot \{P(x|u)\} = \sum_{x,u} B(x, u) P(x|u) \ge 4. \qquad (29)$$

Here $B$ is an indicator vector with entries

$$B(x, u) = \begin{cases} 1 & : (x, u) \in S_B \\ 0 & : \text{otherwise} \end{cases} \qquad (30)$$

The minimum value achieved by local realistic theories for this combination of probabilities is 4 while general no-signaling theories can achieve the algebraic minimum value of 0. Crucially, there exist a quantum state and suitable measurements reaching this algebraic minimum.

The set $S_B$, for which $B(x, u) = 1$, is defined using the orthogonality hypergraph in Fig. 3 which represents a Kochen-Specker set of vectors from O displaying state-independent contextuality in dimension 4. In this graph, the nine measurements are represented by the nine colored hyperedges each giving four outcomes, where the vertices represent rank-one projectors corresponding to the outcomes. Each party performs the nine measurements corresponding to the KS set; the set $S_B$ consists of all 81 pairs of measurements $u$. For each $u$, the pair of outcomes $x$ belongs to $S_B$ for that $u$ if the vertex representing outcome $x^1$ in $u^1$ is connected by a hyperedge to the vertex representing outcome $x^2$ in $u^2$. A direct counting shows that out of the $4^2 \times 9^2 = 1296$ probabilities $P(x|u)$, 504 enter the Bell expression. Moreover, in any deterministic assignment of 1's and 0's to these probabilities respecting the no-signaling and normalization constraints, at least four probabilities are assigned value 1, giving rise to the local realistic bound. In quantum theory and in general no-signaling theories however, all 504 probabilities may be set to 0, giving rise to the algebraic violation of the inequality.

FIG. 3: Illustration of the Kochen-Specker set used in formulating the bipartite Bell inequality

In order to achieve the maximal violation within quantum theory, Alice and Bob share a maximally entangled state in dimension four, namely

= (31) 

^ i=l 

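The measurements they each perform correspond exactly to the 18 projectors defining the Kochen-Specker set in {3. Specifically, these projectors correspond to the following vectors

$$
\begin{aligned}
|v_1\rangle &= (1,0,0,0)^T, & |v_2\rangle &= (0,1,0,0)^T, & |v_3\rangle &= (0,0,1,1)^T, & |v_4\rangle &= (0,0,1,-1)^T, \\
|v_5\rangle &= (1,-1,0,0)^T, & |v_6\rangle &= (1,1,-1,-1)^T, & |v_7\rangle &= (1,1,1,1)^T, & |v_8\rangle &= (1,-1,1,-1)^T, \\
|v_9\rangle &= (1,0,-1,0)^T, & |v_{10}\rangle &= (0,1,0,-1)^T, & |v_{11}\rangle &= (1,0,1,0)^T, & |v_{12}\rangle &= (1,1,-1,1)^T, \\
|v_{13}\rangle &= (-1,1,1,1)^T, & |v_{14}\rangle &= (1,1,1,-1)^T, & |v_{15}\rangle &= (1,0,0,1)^T, & |v_{16}\rangle &= (0,1,-1,0)^T, \\
|v_{17}\rangle &= (0,1,1,0)^T, & |v_{18}\rangle &= (0,0,0,1)^T. & & & &
\end{aligned}
\qquad (32)
$$

The nine measurements are defined by the following nine bases

$$
\begin{aligned}
M_1 &= (|v_1\rangle, |v_2\rangle, |v_3\rangle, |v_4\rangle), & M_2 &= (|v_4\rangle, |v_5\rangle, |v_6\rangle, |v_7\rangle), & M_3 &= (|v_7\rangle, |v_8\rangle, |v_9\rangle, |v_{10}\rangle), \\
M_4 &= (|v_{10}\rangle, |v_{11}\rangle, |v_{12}\rangle, |v_{13}\rangle), & M_5 &= (|v_{13}\rangle, |v_{14}\rangle, |v_{15}\rangle, |v_{16}\rangle), & M_6 &= (|v_{16}\rangle, |v_{17}\rangle, |v_{18}\rangle, |v_1\rangle), \\
M_7 &= (|v_2\rangle, |v_9\rangle, |v_{11}\rangle, |v_{18}\rangle), & M_8 &= (|v_3\rangle, |v_5\rangle, |v_{12}\rangle, |v_{14}\rangle), & M_9 &= (|v_6\rangle, |v_8\rangle, |v_{15}\rangle, |v_{17}\rangle).
\end{aligned}
\qquad (33)
$$

For this state and measurements all the probabilities entering the Bell expression are identically zero, so that algebraic violation is achieved.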
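The structural claims of this section can be checked mechanically. The script below is an added example, not code from the paper: it uses the 18 vectors and nine bases of Eqs. (32) and (33), and it assumes that $S_B$ contains every outcome pair whose vectors are orthogonal (the reading that reproduces the stated count of 504) and that the shared state is the standard maximally entangled state $\frac{1}{2}\sum_i |i\rangle|i\rangle$; all function names are illustrative.

```python
from fractions import Fraction
from itertools import product

# The 18 unnormalised Kochen-Specker vectors |v_1>..|v_18> of Eq. (32).
V = {
    1: (1, 0, 0, 0),    2: (0, 1, 0, 0),    3: (0, 0, 1, 1),    4: (0, 0, 1, -1),
    5: (1, -1, 0, 0),   6: (1, 1, -1, -1),  7: (1, 1, 1, 1),    8: (1, -1, 1, -1),
    9: (1, 0, -1, 0),   10: (0, 1, 0, -1),  11: (1, 0, 1, 0),   12: (1, 1, -1, 1),
    13: (-1, 1, 1, 1),  14: (1, 1, 1, -1),  15: (1, 0, 0, 1),   16: (0, 1, -1, 0),
    17: (0, 1, 1, 0),   18: (0, 0, 0, 1),
}
# The nine measurement bases M_1..M_9 of Eq. (33), as indices into V.
BASES = [(1, 2, 3, 4), (4, 5, 6, 7), (7, 8, 9, 10), (10, 11, 12, 13),
         (13, 14, 15, 16), (16, 17, 18, 1), (2, 9, 11, 18), (3, 5, 12, 14),
         (6, 8, 15, 17)]
SETTINGS = range(9)   # measurement index of one party (0-based in this script)
OUTCOMES = range(4)   # outcome index within a basis (0-based in this script)


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def vec(setting, outcome):
    """Vector attached to a given outcome of a given measurement."""
    return V[BASES[setting][outcome]]


def ks_structure_ok():
    """Every basis is orthogonal and every vector lies in exactly two bases."""
    orthogonal = all(dot(V[i], V[j]) == 0
                     for basis in BASES for i in basis for j in basis if i != j)
    twice = all(sum(k in basis for basis in BASES) == 2 for k in V)
    return orthogonal and twice


def ks_colourable():
    """Search all 2^18 0/1 assignments for one that marks exactly one vector
    in each basis (a noncontextual deterministic value assignment)."""
    masks = [sum(1 << (k - 1) for k in basis) for basis in BASES]
    single_bit = {1 << i for i in range(18)}
    return any(all((t & m) in single_bit for m in masks) for t in range(1 << 18))


def bell_set():
    """S_B under the assumed reading: (x1, x2, u1, u2) with orthogonal vectors."""
    return [(x1, x2, u1, u2)
            for u1, u2 in product(SETTINGS, repeat=2)
            for x1, x2 in product(OUTCOMES, repeat=2)
            if dot(vec(u1, x1), vec(u2, x2)) == 0]


def quantum_prob(x1, x2, u1, u2):
    """P(x|u) for the state (1/2) sum_i |i>|i> and real rank-one projectors:
    |<v_a|v_b>|^2 / (4 |v_a|^2 |v_b|^2)."""
    a, b = vec(u1, x1), vec(u2, x2)
    return Fraction(dot(a, b) ** 2, 4 * dot(a, a) * dot(b, b))


def quantum_bell_value():
    """B . {P(x|u)} of Eq. (29) for the quantum box."""
    return sum(quantum_prob(*entry) for entry in bell_set())


def quantum_box_no_signaling():
    """Each party's marginal equals 1/4 whatever the other party measures."""
    quarter = Fraction(1, 4)
    for u1, u2 in product(SETTINGS, repeat=2):
        for x in OUTCOMES:
            alice = sum(quantum_prob(x, y, u1, u2) for y in OUTCOMES)
            bob = sum(quantum_prob(y, x, u1, u2) for y in OUTCOMES)
            if alice != quarter or bob != quarter:
                return False
    return True


if __name__ == "__main__":
    print("KS structure valid:       ", ks_structure_ok())
    print("noncontextual assignment: ", ks_colourable())
    print("entries in Bell expression:", len(bell_set()))
    print("quantum Bell value:       ", quantum_bell_value())
    print("quantum box no-signaling: ", quantum_box_no_signaling())
```

The absence of any consistent 0/1 assignment is the Kochen-Specker property of the set: nine bases each need exactly one marked vector, yet every vector sits in two bases, so the number of marked incidences would have to be both nine and even.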

Apart from the fact that quantum mechanics violates the inequality, we would also like to ensure that a strong violation of the inequality guarantees randomness. Unfortunately, none of the bipartite Bell inequalities tested so far have this property. The above inequality though has the following redeeming feature. Let $u^* = (1, 2)$ be a particular pair of measurement settings and $x^* = (1, 3)$ a chosen pair of outcomes for this setting. For all no-signaling boxes which algebraically violate the inequality, it holds that

0<P(x = x*|u = u*) < 5 

V{P(x|u)} s.t B ■ {P(x|u)} = 0 (34) 

It should be noted that for the quantum box which algebraically violates the inequality defined by the above state and measurements, we have Pg(x = x*|u = u*) = ^ so that upon maximal violation, we expect a fixed number of outputs $x^*$ for inputs $u^*$ in the experiment. Moreover, for boxes with a Bell value $\delta$, we will see in Lemma0 that 0 < P(x*|u*) < |(3 + 2$\delta$). So that, when one has large violation of the inequality and a sufficient number of outputs and inputs $(x^*, u^*)$, it must be the case that a sufficient number of runs in the experiment were done with boxes that yield randomness.

(Partial) Randomness from an observed Bell value

Using the Azuma-Hoeffding inequality, we have that if the observed Bell value is small, then a linear fraction of the conditional boxes have a small Bell value for settings chosen with an SV source. To obtain a min-entropy source, we need to have that a linear fraction of the conditional boxes has randomness. In this section, we establish the consequence to randomness of the observed Bell value.

Let $U$ denote all the settings appearing in the Bell expression. We consider first the uniform Bell value

$$\bar{B}^{U} := \frac{1}{|U|} B \cdot \{P(x|u)\} = \frac{1}{|U|} \sum_{x,u} B(x, u) P(x|u), \qquad (35)$$

where $|U|$ denotes the cardinality of $U$, i.e. the total number of settings in the Bell expression ($|U| = 81$ for the Bell inequality we consider). If the Bell function $B(x, u)$ is properly chosen, one can prove using linear programming that if $\bar{B}^{U}$ is small, the probabilities of any output are bounded away from 1. However, since our inputs to each device are chosen using a SV source, we will be only able to estimate the value of the following expression

$$\bar{B}^{SV} = \sum_{u,x} \nu_{SV}(u) B(x, u) P(x|u), \qquad (36)$$

where $\nu_{SV}(u)$ is the distribution from an (unknown) SV source. Let us note that the number of bits needed by each party to choose their settings is $\lceil \log 9 \rceil = 4$, so that $u$ is chosen using $2 \lceil \log 9 \rceil = 8$ bits. We will show that for the Bell function, when $\bar{B}^{SV}$ is small, $\bar{B}^{U}$ is also small which implies randomness (for suitably chosen > 0 ).

Lemma 2. Consider a two-party no-signaling box $\{P(x|u)\}$ satisfying

$$\bar{B}^{SV} < \delta, \qquad (37)$$

for some constant $\delta > 0$, where $\bar{B}^{SV}$ is given by Eq. (36) with $B(x, u)$ given by Eq. (30). Then for the particular measurement setting $u^*$ and particular output $x^*$, we have

P^x = x*\u = un<\f + jff^y (38)


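Proof. From the definition of an ε-SV source we have

$$\left(\tfrac{1}{2} - \epsilon\right)^{8} \le \nu_{SV}(u) \le \left(\tfrac{1}{2} + \epsilon\right)^{8}, \tag{39}$$

so that

$$\bar{B}^{U} \le \frac{\bar{B}^{SV}}{\left(\frac{1}{2} - \epsilon\right)^{8} |U|}. \tag{40}$$

We can therefore work with the Bell value for uniformly
chosen settings, relating it to the Bell value with
SV source settings through Eq. (40).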


For B 


< s, 


Eq.(40> gives that B < 


{^-sr\u\ 


— j_ 

— \U\- 
Consider a bipartite no-signaling box P(x|u) satisfying

b" := ^B.(B(x|„)} < A, (41) 

with B the indicator vector for the Bell expression in Eq. 

and $|U| = 81$ the number of settings in the Bell expression.

The maximum probability for the chosen output and
input for the given (uniform) Bell value can be computed
by the following linear program

$$\max_{\{P(x|u)\}} : \; M_{u^*,x^*}^{T} \cdot \{P(x|u)\} \quad \text{s.t.} \quad A \cdot \{P(x|u)\} \le c. \tag{42}$$

Here, the indicator vector $M_{u^*,x^*}$ is a $4^2 \times 9^2$ element
vector with entries $M_{u^*,x^*}(x,u) = I_{u=u^*} I_{x=x^*}$, i.e.,
$M_{u^*,x^*}(x,u) = 1$ for $(x,u) = (x^*,u^*)$ and 0 otherwise.
The constraint on the box $\{P(x|u)\}$ written as a vector
with $4^2 \times 9^2$ entries is given by the matrix A and the
vector c. These encode the no-signaling constraints between
the two parties, the normalization and the positivity
constraints on the probabilities P(x|u). In addition, A 
and c also encode the condition that B.{P(x|u)} < S for 
a constant ^ > 0 . 

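The solution to the primal linear program in Eq. (42)
can be bounded by a feasible solution to the dual program
which is written as

$$\min_{\lambda_{u^*,x^*}} : \; c^{T} \lambda_{u^*,x^*} \quad \text{s.t.} \quad A^{T} \lambda_{u^*,x^*} = M_{u^*,x^*}, \quad \lambda_{u^*,x^*} \ge 0. \tag{43}$$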

We find a feasible Au*,x* satisfying the constraints to the 
dual program above that gives c^Au*,x* < |(3 + 2 ^). ^ 
We therefore obtain by standard duality of linear
programming that

P(x = x*|u = u*) < i(3 + 25). (44) 

Noting that 5 = we obtain the required bound. 


FROM EMPIRICAL VALUES TO TRUE PARAMETERS OF
THE BOX

In this section, we state the lemmas based on the
Azuma-Hoeffding inequality and the Generalized Chernoff
bound which we will use to estimate the arithmetic
average of Bell values for the conditional boxes as well
as the fraction of boxes which have a lower bound. Let
us state the following Lemma based on the Azuma-Hoeffding
inequality which we will use to estimate the
arithmetic average of Bell values for the conditional
boxes as well as the straightforward Lemma whose
proofs can be found in m.

^ The explicit vector $\lambda_{u^*,x^*}$ that is feasible for the dual program in Eq. (43)
and gives the bound can be computed by standard techniques and
is available upon request.

Lemma 3. Consider arbitrary random variables $W_i$ for $i = 0, 1, \dots, n$,
and binary random variables $B_i$ for $i = 1, \dots, n$
that are functions of $W_i$, i.e. $B_i = f_i(W_i)$ for some functions
$f_i$. Let us denote $\bar{B}_i = E(B_i | W_{i-1}, \dots, W_1, W_0)$ for $i = 1, \dots, n$
(i.e. $\bar{B}_i$ are conditional means). Define for $k = 1, \dots, n$
the empirical average

$$L_k = \frac{1}{k} \sum_{i=1}^{k} B_i \tag{45}$$

and the arithmetic average of conditional means

$$\bar{L}_k = \frac{1}{k} \sum_{i=1}^{k} \bar{B}_i. \tag{46}$$

Then we have

Pr(|P,-I,| > 8 ) <2e--^ (47) 

Lemma 4. If the arithmetic average $\bar{L}_n$ of n conditional
means satisfies $\bar{L}_n \le \delta$ for some parameter $\delta > 0$, then in
at least $(1 - \sqrt{\delta})n$ of positions i we have $\bar{B}_i \le \sqrt{\delta}$.


Proving the lower bound for a fraction of boxes 


In this section, we estimate the fraction of boxes for
which $q(x_i = x^*|u_i = u^*, u_{<i}, x_{<i}, z, e)$ is lower bounded
by a constant. To do so, we perform a test using the
random variables $D_i^{u}(x)$ for any fixed u

$$D_i^{u}(x) = \begin{cases} 1 & : x_i = x^* \wedge u_i = u^* \\ 0 & : \text{otherwise} \end{cases}$$

for $i = 1, \dots, n$. The test function is defined as

$$S_n(x,u) = \frac{1}{n} \sum_{i=1}^{n} D(x_i, u_i) \tag{48}$$

with the corresponding average $\bar{S}_n(x,u,z,e)$ defined as

$$\bar{S}_n(x,u,z,e) = \frac{1}{n} \sum_{i=1}^{n} \mathbb{E}_{q(x_i|x_{<i},u,z,e)} D(x_i, u_i). \tag{49}$$

The test checks if

$$S_n(x,u) \ge \mu_1 \tag{50}$$

for a fixed $\mu_1 > 0$.

We now show that when the test accepts, with probability
1 — 2 exp at least ^ boxes have randomness
in the output for input setting u*, specifically
that $q(x_i = x^*|u_i = u^*, u_{<i}, x_{<i}, z, e) \ge \kappa$ for fixed $\kappa > 0$.
Lemma 5. Assume that the test given by Eq. 
for the box q{xi,... ,Xn\ui,... z,e) accepts 
(for fixed pi > 0 ). Consider the set I^iu) := 

{i \ Ui = u"" /\ q{xi = x*\Ui = z, e) > n}. 

With probability at least 1 - 2 exp^-n^^, \^k,{u)\ ^ 


Proof When the test is passed, i.e., when Sn{x, u) > pi, 
by Lemma 1^ with probability at least 1 — 2 exp 
we have that Sn{x,u, z^e) > ^• In other words, we have 

= X*|Ui = U*,U<j,X<j,2:,e) > y, (51) 
i 

where we used the no-signaling condition g(x^ = 

x*|?x,z,e) = q{xi = x*|u^ = u*, u<i, x<i, 2 ;, e). Consider 
the set we have that 


{n-\Uu)\)n^\Uu)\ >^n (52) 

or 


Therefore, with probability at least 1 — 2 exp 

the set of boxes with = u* and q{xi = x*|ui = 
u*,u<i,x<^, 2 ;,e) > n for fixed /ii > 0 , 0 < /^ < | is 
of size at least 


□ 


A min-entropy source from randomness of conditional
boxes

In this section we show that if a device is such
that a linear number of conditional boxes have randomness
(in the weak sense that the probability of
the outputs is bounded away from one for any one
setting and this particular setting appears a linear
fraction of times), then the distribution on outputs
constitutes a min-entropy source. Let any sequence
$(z, e, x_1, u_1, \dots, x_n, u_n)$ be such that $x_i$ and $u_i$, $i \in \{1, \dots, n\}$,
are of the form of x = (x^,x^) and u =
(u^,u^), respectively. Consider that with large probability
over sequences $(z, e, x_1, u_1, \dots, x_n, u_n)$, a particular
setting u* appears a linear fraction $\mu n$ times and that
within this fraction, the probability of x* and its
complementary outcome x* is bounded away from 1, then the
total probability distribution is close in variational
distance to a min-entropy source. To show this, we use the
following lemma from [Tl

Lemma 6. Fix any measure P on the space of sequences
$(z, e, x_1, u_1, \dots, x_n, u_n)$. Suppose that for a sequence
$(z, e, x_1, u_1, \dots, x_n, u_n)$, there exists $K \subseteq [n]$ of size larger
than $\mu n$, such that for all $l \in K$ we have $u_l = u^*$ and the
conditional boxes $P_{x_{<l},u_{<l}}(x_l|u_l, z, e)$ satisfy

$$P_{x_{<l},u_{<l}}(x_l|u_l = u^*, z, e) \le \gamma. \tag{54}$$

Then, $P(x_1, \dots, x_n|u_1, \dots, u_n, z, e)$ satisfies

$$P(x_1, \dots, x_n|u_1, \dots, u_n, z, e) \le \gamma^{\mu n}. \tag{55}$$

SECURITY PROOF 


Let us first recall the definition of a min-entropy
source and the notion of an independent source randomness
extractor, specifying the extractor we will use
to obtain randomness in our protocol. The min-entropy
of a random variable S is given by

$$H_{\min}(S) = \min_{s \in \mathrm{supp}(S)} \log \frac{1}{P(S = s)}, \tag{56}$$

where supp(S) denotes the support of S. For $S \in \{0,1\}^n$,
the source is called an $(n, H_{\min}(S))$ min-entropy
source. An independent source extractor $\mathrm{Ext} : (\{0,1\}^n)^k \to \{0,1\}^m$
is a function that acts on k independent
min-entropy sources and outputs m bits that are
^ close to uniform, i.e., for k independent {n, Hmm{Si)) 
sources (with i G k}) we have 


\\Ext{Si,...,Sk)-Um\\i<t (57) 

where $\|\cdot\|_1$ is the variational distance between the two
distributions and $U_m$ denotes the uniform distribution
on the m bits. For use in Protocol I, we use a (non-explicit)
deterministic extractor from lU that, given two
independent sources of min-entropy larger than h, outputs
$\Omega(h)$ bits $2^{-\Omega(h)}$-close to uniform. Alternatively, in
the protocol, one might also use the explicit extractor
from [6] that, given two independent sources of min-entropy
at least $\log^{C}(h)$ for large enough constant C outputs
1 bit with error

Let us define the set Azf^^ as 

■={(2,u,e): 

Pi* c) ^ Lnix^ XL) “h ^Az') — 

^q{x\z,u,e) 

(58) 


and the cut 

Azi^^{u) := {(z,e) : ( 2 ^, 14 , e) G Az^^^}. 

(59) 

Let us also define the set Az^^ (u) for any fixed u as 
Azl^^u) :={{z,e): 

Pr (Sn{x, U, Z, e) < Sn{x, u) - ^ ) < eAz2} 

r^q{x\z^u,e) \ Z / 

( 60 ) 
with CAzi = 2 e and eAz 2 = 2 e is and the set ACC ACCi Pi ACC 2 of (x^u) for which 

Az{u) as 


Az{u) := (?x) n Az 2 ^ (u). 


(61) 


both tests in the protocol are passed. Let us also define 
$ACC_u := \{x : (x,u) \in ACC\}$. (67)

We are now ready to formulate the following lemma. 


Pr \mdiyiq(x\z,u,e,ACC)< 

^qiz,u,e\ACC) \ x ^ ' 


Si 


Note that despite the apparent similarity in the nomen¬ 
clature of Az(^^{u) and Az 2 ^{u), they differ in the re¬ 
spect that Az^^^ is a set of large measure for every u Lemma 7. Consider the measure q{x, z, u, t, e) ^satisfying 

(as seen in Eq. ( |64| ) while Az^^^ (u) is a set of large mea- For constant 5i > 0, we have that 

sure only for most (typical) u. Here 

1 n 7 

Ln{x,u) = -Y]5(Xi,Ui), 
i=l 

1 "" 

Lnix^U^Z^e) = IEg('xi,Ui|x<i,u<i,2,e)-^(^i5 ^i)(^2) 

i=l 

Similarly, 

Sn(x,u) = -Y^D(Xi,Ui), 


q(ACC) 


> 1 - 


Si 


( 68 ) 




Sn(x^U^Z^e) ^ ^ , |x<^ ,n,2:,e)-^(^G ^i) • (^^) 


i=l 


Applying Lemmataking Wo = (z,e), Wi = (x^,Ui) 
for i = 1,..., n, we obtain by a direct application of the 
Markov inequality that 


q{z,u,e)>l-€Azi 

(z,u,e)E:Azl^^ 

El q{z,e\u) >1 - eAz 2 - 

(z,e)EAz2^ (u) 

To elaborate, we get from Lemma that 

Pr {Ln{x, u, z, e) > i„(a;, u) + 5az) < e^i 

(a:,u, 2 ;,e)~g(a:,u, 2 ;,e) 

Pr [ Pr iLn{x,u,z,e)>Ln{x,u)+5Az) 

{z,u,e)r^q{z,u,e) xr^q{x\z,u,e) 


q(ACC)' 

Proof. Let us write 

E g(z, 14 , e|ACC) maxg(x|2;, e, ACC) 

X 

z,u,e 

= ^(z, 14 , elACC) maxg(x|^, 14 , e, ACC) 

(z,u,e)^Azl^^ 

+ / g(2:, 14 , elACC) maxg'(x|2:, 14 , e, ACC). 

{z,u,e)£Az^^^ 

(69) 


and bound the two terms separately. The first term can 
(64) simply bounded as 

E g(z, 14, e|ACC) maxg(x| 2 ;, 14 , e, ACC) 

X 

{z,u,e)^Azl^^ 


maxa; g(a::|2;,w,e,ACC)<l 
< 


> iAzl] < £Azl 


(65) 


q (z,u,e, ACC) <q(z,u,e) 
< 


E q{z,u, e\ACC) 

{z,u,e)^Az^^^ 

q{z,u, e) 


E 


and the second inequality in Eq.([64| is obtained simi¬ 
larly. 

Also, as stated previously we define the sets ACCi 
and ACC 2 as the sets of (x, 14 ) for which the tests in the 
protocol are passed, i.e.. 


{z,u,e)^AzE 


q{ACC) 


Eq.m4 


'^E 


^Azl 

g(ACC) ‘ 


(70) 


$ACC_1 := \{(x,u) : L_n(x,u) \le \delta\}$,
$ACC_2 := \{(x,u) : S_n(x,u) \ge \mu_1\}$,


Eor the second term, with (z^u^e) G AzE, we have 
that for fixed 14 , (z, e) G Az^^^ ( 14 ). We therefore split the 
( 66 ) second term as 
E q(z^ elACC) maxg^fxlz, e, ACC) 

X 

(z,u,e)EAzl^^ 

E g(z, 14, e|ACC) maxg(x|2;, 14, e, ACC) + g(z, 14, e|ACC) maxg(x|2;, 14, e, ACC), 

X ^^ X 

u u 

{z^e)^Az\^^ {u)nAz2^ (u) (z,e)GAzf^^ (u)n(^Az2^ 

(71) 


where (Az 2 ^(u))^ denotes the complement of the set 
Az 2 ^{u). Let us first consider the case when {z,e) G 
Az^^^{u) n Az 2 ^{u), i.e., {z^e) G Az{u). We define the 
sets 

^ {x : Ln(x,u,z,e) < Ln(x,u) + 5 az}, 

^ {x-.Sn{x,U,Z,e)>Sn{x,u)-^}, 

(72) 

and the complements > (-’^ 32 ’” '^^) • 

By the definition of Az\^^{u), for {z,e) G Azf^^{u) 
and X G , we have 


Note that we will choose S such that 


i.e.. 



0 <(i< 


2v^ \ 

8 


< 1 


(79) 


to have the above probability bounded below unity. 
Similarly, by the definition of ACC 2 , Sn{x, u) > /ii, and 
by the definition of Xg 2 ^'^\ we have that 


Sn{x,u,z,e) > 


2 ‘ 


(80) 


q{x\z,u,e) < eAzi (73) 

for eAzi = Similarly, by the definition of 

Az 2 ^{u), for (z,e) G Az 2 ^{u) and x G , we 

have 


g(x|2;,i4,e) < eA;s 2 (74) 

A 

for eAz 2 = 2e ^ le. Therefore, for (^, e) G Az{u) and 
X G n n ACC^i, we have that 

q{x\z, u, e) < eAzi + ^^^ 2 - (75) 

Now let us look at the case when (^, e) G Az{u) and 
X G n ACC^. By the definition of 

ACCi, we have Ln{x,u) < 5, and by the definition of 
^^^,u,e) have that 


By Lemma for at least ji^n positions i, where /is = 
for fixed /^ > 0 , we have 

^x<i,u<i,^,e(Xi = X*|Ui = U*) > Hi. (81) 

Therefore, for (^, e) G Az{u) and x G 
^^^z,u,e) n n ACCu, we have that there 

are at least fi/^n positions i with = (/is + /12 — 1 ) for 
which 


^x<i,u<i,2;,e(Xi lu^ — U ) < 7 

for Xi = X* as well as 7 ^ x* . Here, 


7 = max 


(l-xj.i 



(82) 


(83) 


Ln{x, 14, 2 ), e) < (i + 6az- (76) 

By Lemma |4| for at least /i 2 ^ positions i where /12 = 1 — 
+ ^Az/ there is 

^q(xi,Ui\x<i,Uci,z,e)B{Xi^Ui) < \/(i + 5az = V^, (77) 

where we have simply set Saz = ^ for constant J > 0 . 
Therefore, by Lemma|^ at these /i 2 ^ positions i, we have 
that for the particular input and output pair = u* and 

Xi = X* 


In order to have /14 > 0 , i.e., /13 + /12 > 1 we will choose 
constant J > 0 such that 


/ii — 2 k , 

2{1-k) 


AA > 0 , 


i.e., <5 < - 


/ii — 2k 
2{1-k) 


Combining Eq. ( [7^ and Eq.([84| we have that 


(84) 


Q.x< 


2 ,e(Xi = X*|Ui = U*) < - I 3 ■ 


2V^ 


. (78) 


5 < min 




/ii — 2k 
_2(1 - k)_ 


1 2" 


(85) 
Therefore, for any (z, e) G Az{u) and x G ACC^^, com- We can also simply bound 
bining Eq. and Eq.([^ we have from Lemmaj^that 


maxg(x|^, 14, e, ACC) = 

X 


< 


^^^xeACCu Q{x\z,u,e) 
g(ACC| 2 ;, i4, e) 
max{eA;^i + 

g(ACC| 2 ;, i4, e) 

( 86 ) 


From the above considerations, we can bound

E q{z^ 14, e|ACC) maxg(x|z, i 4 , e, ACC) 

X 

u 

(z,e)EAz(u) 


Eq-H ^ I .^,.xmax{eAzi+£^^2,7'"'*"} 

2^ g( 2 :,u,e|ACC)- 


(2;,e)G242;(w) 


g'(ACC|^, 14, e) 


^ r iiAti-i q(z^u^e) 

< maxjeA^i+ eAz 2 , 7 ^ } X/ q(ACC) 

{z,u,e) 


< 


maxje^^i + eAz2, 7^-*”} 

g(ACC) 


(87) 


< 


E q(z, u, elACC) max 5 (a:| 2 ;, u, e, ACC) 

X 

U 

(z,e)EAzf^^ (u)n(^Az2^ (u)^^ 

q(z,u,e,ACC)<q(z,u,e) 

2] 9(^,ti,e|ACC) < 


(z,e)EAzf^^ (u)n(^Az2^ (u)'j'^ 


(z,e)e(Az^^(u))'' 


q(u)q(z,elu) EqJ^ 
q(ACC) - q(ACC) 


• ( 88 ) 


Inserting the bounds from Eqs. |87) and l [ 88 ) into Eq. 0 ^Az 2 ) + we get that 

gives 


E q(z^ 14, el ACC) maxg'(x| 2 :, 14, e, ACC) 

X 

{z,u,e)eAzl^^ 

^Azl + ‘^^Az2 + 7^^^^ 


Pr maxefxlz, 14, e, ACC) < 

^q{z,u,e\ACC) \ a: ^ ^ “ 


I ^ 

^(ACC) J 


> 1 




< 


q{ACC) 


(89) 


q{ACC) ‘ 
This completes the proof. 


(91) 


□ 


We now note the following lemma which follows 
Einally, inserting the bounds from Eqs.([^ and @ into horn the assumptions stated in the text (for a proof see 


Eq. ([69| gives 


E q(z^ 14, elACC) maxg'(x|^, 14, e, ACC) 

X 

{z,u,e) 

‘^{^Azl + ^Az2) + 7^4^ 


m) 

Lemma 8 . For any probability distribution q{x,z,u,t,e) 
satisfying Eq.^^ it holds that 


(92) 


q{x\z^ 14, t, e, ACC) = q{x\z^ 14, ACC). 


< 


g(ACC) 

Applying Markov inequality, setting Si = 2{eAzi 


(90) 


We use Lemma along with Lemma to obtain the 
following theorem whose proof follows a similar state¬ 
ment in 111 showing that either the tests in the proto¬ 
col are passed with vanishing probability or we obtain 
(| 5 '| = 2 ^^^^^^^^) secure random bits. 
Theorem 9. Let n denote the number of runs in Protocol I 
and suppose we are given e > 0. For fixed pi > 0, 0 < n < 
set 6 > 0 such that 


6 < min 



1 

2 


Pi — 2n 
2(1 - n)_ 


(93) 


Then for any probability distribution Pw{x, z, u, t, e) satisfy¬ 
ing Eqs. there exists a non-explicit extractor s{x,t) 

with |5'| = values, such that 


4-p(ACC) (94) 

where dc is given by ( [^ as 


4:=5^max^ 


p{s^ z^ e\w^ ACC) — ——p{z^e\w^ACC) 
\b\ 


(95) 


Alternatively, one can use an explicit extractor s'{x,t) pro¬ 
ducing a single bit of randomness with 


4 • p{ACC) < , (96) 


for some constant C. 


PASSING THE TESTS WITH QUANTUM BOXES 

Finally, we check that for suitable parameters $\delta$ and
$\mu_1$ both tests in the protocol are passed with the use of
good quantum boxes by the honest parties.


Generalized Chernoff bound for Santha-Vazirani sources

The final part of the proof is to show that if the honest
parties use good quantum boxes, the tests in the protocol
are passed with high probability. We first show that
the Santha-Vazirani source satisfies an exponential
concentration property given by the following generalized
Chernoff bound, which will imply that the second test
in the protocol is feasible, i.e., that in a linear fraction of
the runs the setting u* appears.

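Theorem 10. (Generalized Chernoff bound) Let $X_i$
for $i \in [n]$ be Boolean random variables such that for some
$0 < \zeta < 1$, we have that, for every subset $S \subseteq [n]$,
$\Pr\left[\wedge_{i \in S} X_i = 1\right] \le \zeta^{|S|}$. Then, for any $0 < \zeta < \gamma < 1$,

$$\Pr\left[\sum_{i=1}^{n} X_i \ge \gamma n\right] \le e^{-n D(\gamma \| \zeta)}, \tag{97}$$

where $D(\cdot \| \cdot)$ is the relative entropy function. In particular
$D(\gamma \| \zeta) \ge 2(\gamma - \zeta)^2$.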

We show now that the SV source satisfies the assumption
of the above theorem, i.e., that probability of not
obtaining the input u* in a subset of size k is upper
bounded by $\zeta^{k}$ for $\zeta = 1 - \left(\tfrac{1}{2} - \epsilon\right)^{2m}$ with 2m being
the number of bits the two parties need to choose a single
u ($2m = 2\lceil \log 9 \rceil = 8$ for the Bell inequality we
consider).


Lemma 11. For any non-empty subset of k indices
$(i_1, \dots, i_k) \subseteq [n]$, and n consecutive instances of random variable
U chosen according to measure $\nu$ using 2mn bits from
an ε-SV source (where 2m is the number of bits required to
choose a single instance u), for any fixed u* in the range of U,
we have

$$\Pr_{\sim\nu}\left(u_{i_1} \ne u^*, \dots, u_{i_k} \ne u^*\right) \le \left(1 - \left(\tfrac{1}{2} - \epsilon\right)^{2m}\right)^{k}. \tag{98}$$


Proof. Let us assume, w.l.o.g. that $i_k > i_{k-1} > \dots > i_1$.
We have


Pr(uij f u*,... ,\Xi^ ^u*) 

r^V 

= V Pr(ui,...,Ui, 7^u*,...,u„) 

{\ii. 

= V Pr(ui)Pr(uii 7^u*|ui,...,Uij_i)...Pr(ui, 7^u*|ui,.. 

^ r^V 



Uij^_i)...Pr(u„|ui,...,u„_i) 

r^V 


(99) 


The last inequality is obtained by noting that for terms with G {h,..., ik\, by the definition of the SV source 
V 2m 


with 2m 


being the number of bits required to obtain any input u, 
and for the terms with ij ^ {n, • • •, i/c}, the sum over Mi. 
gives unity by normalization. □ 

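Consider the random variable $X_i$ defined as

$$X_i = \begin{cases} 1 & : u_i \ne u^* \\ 0 & : \text{otherwise} \end{cases}$$

for $u_i$ chosen using the SV source $\nu(\cdot)$. Theorem 10
together with Lemma 11 gives that

$$\Pr\left[\sum_{i=1}^{n} X_i \ge \gamma n\right] \le e^{-2n(\gamma - \zeta)^2}, \tag{100}$$

or equivalently

$$\Pr\left[\sum_{i=1}^{n} X_i < \gamma n\right] \ge 1 - e^{-2n(\gamma - \zeta)^2} \tag{101}$$

for $\zeta = 1 - \left(\tfrac{1}{2} - \epsilon\right)^{2m}$ and $0 < \zeta < \gamma < 1$. For $U(u) := \{i : u_i = u^*\}$
and $\mathrm{Ch} := \{u : |U(u)| > \mu_5 n\}$ for some
constant $\mu_5 > 0$, Eq. (101) gives that

$$\sum_{u \in \mathrm{Ch}} \nu(u) \ge 1 - e^{-2n(1 - \mu_5 - \zeta)^2}. \tag{102}$$

Therefore, we obtain that with probability $1 - e^{-2n(1 - \mu_5 - \zeta)^2}$,
$u_i = u^*$ for a fraction $\mu_5$ of the n runs.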
We note that with the use of the state and measurements 
from Eqs.(|^, and (|^, we obtain a box {Pg(x|u)} 
that achieves maximal violation of the Bell inequality, 
i.e., B.{Pg(x|u)} = 0 and also has Pg(x = x*|u = u*) = 


-X, Therefore, for suitably chosen $\delta, \mu_1 > 0$ the two tests
in the protocol are passed with high probability with the
use of good quantum boxes.
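
The concentration bound for the setting u* can be evaluated numerically; the following is an added example, not code from the paper, and it goes slightly beyond the text by computing the relative-entropy form of Eq. (97) next to the relaxed exponent $2(\gamma - \zeta)^2$ and an exact tail. Assumptions of this example: the function names, the parameter values ε = 0.05, μ5 = 0.0008, n = 100000, and a constructed worst-case ε-SV source in which u* is encoded by one 8-bit string and every bit is biased to 1/2 − ε against it.

```python
import math

def zeta(eps, bits=8):
    """Cap on Pr[u_i != u* | history] for a setting read from `bits` eps-SV bits."""
    return 1.0 - (0.5 - eps) ** bits

def kl(gamma, z):
    """Binary relative entropy D(gamma || z) in nats, for 0 < z, gamma < 1."""
    return gamma * math.log(gamma / z) + (1 - gamma) * math.log((1 - gamma) / (1 - z))

def miss_bound(n, mu5, eps, bits=8, relaxed=False):
    """Upper bound on Pr[u* shows up in at most mu5*n of the n runs].

    relaxed=False uses exp(-n D(gamma||zeta)); relaxed=True uses the weaker
    exp(-2n (gamma - zeta)^2) form, with gamma = 1 - mu5.
    """
    z, gamma = zeta(eps, bits), 1.0 - mu5
    if gamma <= z:  # the theorem needs zeta < gamma, i.e. mu5 < (1/2 - eps)^bits
        return 1.0
    rate = 2 * (gamma - z) ** 2 if relaxed else kl(gamma, z)
    return math.exp(-n * rate)

def runs_needed(target, mu5, eps, bits=8, relaxed=False):
    """Smallest n for which miss_bound(n, ...) <= target, or None if no n works."""
    z, gamma = zeta(eps, bits), 1.0 - mu5
    if gamma <= z:
        return None
    rate = 2 * (gamma - z) ** 2 if relaxed else kl(gamma, z)
    return math.ceil(math.log(1 / target) / rate)

def exact_miss_probability(n, mu5, eps, bits=8):
    """Exact Pr[#hits <= mu5*n] for the constructed worst-case source: every bit
    is biased to 1/2 - eps against u*, so hits ~ Binomial(n, (1/2 - eps)^bits)."""
    p = (0.5 - eps) ** bits
    t = math.floor(mu5 * n + 1e-9)
    logs = [math.lgamma(n + 1) - math.lgamma(h + 1) - math.lgamma(n - h + 1)
            + h * math.log(p) + (n - h) * math.log1p(-p) for h in range(t + 1)]
    top = max(logs)  # log-sum-exp keeps the tiny tail representable
    return math.exp(top) * sum(math.exp(v - top) for v in logs)

if __name__ == "__main__":
    eps, mu5, n = 0.05, 0.0008, 100_000  # constructed parameters
    print("zeta               :", zeta(eps))
    print("exact (worst case) :", exact_miss_probability(n, mu5, eps))
    print("exp(-n D)          :", miss_bound(n, mu5, eps))
    print("exp(-2n(g-z)^2)    :", miss_bound(n, mu5, eps, relaxed=True))
    print("runs for 1e-6, D   :", runs_needed(1e-6, mu5, eps))
    print("runs for 1e-6, rel.:", runs_needed(1e-6, mu5, eps, relaxed=True))
```

Because ζ is within (1/2 − ε)^8 of 1, the relaxed exponent is very small, so the number of runs it asks for is orders of magnitude larger than what the relative-entropy form requires for the same failure probability.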